Securing Security Tools SuriCon ö.wÏ Pierre Chiìier [email protected] French National Information Security Agency ö.wÏ ANSSI ◮ Created on July Åth ö..R, theANSSI (FrenchNetwork and Information SecurityAgency)isthe national authorityfor the defense and the security of information systems. ◮ Under the authority of the Prime Minister ◮ Main missions are: ◮ prevention ◮ defense of information systems ◮ awareness-rising http://www.ssi.gouv.fr/en/ ANSSI Securing Security Tools ö/öÏ Securing Security Tools Objectives of this talk: ◮ Improving security of tools ◮ Not on small steps,but trying to solve problems ◮ Consider alternatives to common solutions ◮ Test our claims ANSSI Securing Security Tools é/öÏ What is a network IDS ? A device that ◮ monitors network for malicious activity ◮ does stateful protocol analysis ◮ raises alerts to the administrators ◮ has to be fast ANSSI Securing Security Tools ÿ/öÏ What is a network IDS ? From the security point of view, a NIDS is: ◮ exposed to malicious traíc ◮ running lots of protocols dissectors ◮ connected to the admin network ◮ coded for performance ANSSI Securing Security Tools ó/öÏ Root causes ◮ Bad speciícations ◮ when they exist ◮ Design complexity and attack surface ◮ Formats complexity ◮ Programming language ◮ Paradox: many security tools are not securely coded ◮ “I’ll íx it later” ◮ Infosec peopleconsidering it’s “not their job” ANSSI Securing Security Tools Ï/öÏ Mimimal solutions ◮ Finding vulns does not (really)help security! ◮ But it helps (raising awareness, demonstrating the problem,etc.) ◮ Thebug is íxed ◮ But what about the (probably many) others? ◮ Fuzzing is not the solution either ◮ Level . of securityaudit ◮ But it works ◮ Building secure tools provides much more value ◮ It’s also much morecomplicated ANSSI Securing Security Tools Å/öÏ Solutions ◮ Software environment: minimize consequences of a problem ◮ Software: try to avoid problems ANSSI Securing Security Tools Ï/öÏ Architecture Hardening: overview ◮ Reduced capabilities ◮ Isolated components ◮ Write ⊕ Execute ◮ Send-only mechanism for logs ◮ Tip: you can write data to a Unix socket in a RO-mounted partition ◮ Harden kernel ◮ Read-only containers (everything except /run) ◮ See [CFwÿ] (french) ANSSI Securing Security Tools R/öÏ Architecture m IDS IDS IDS Security collect 1 2 3 Monitored admin network network send in1 in2 in3 base system eth0 eth1 (ipsec) TAP ANSSI Securing Security Tools w./öÏ Hardening software ◮ Reduce attack surface ◮ Secure design: simple, isolated components ◮ Managed memory ANSSI Securing Security Tools ww/öÏ Suricata Note on Suricata ◮ Good points: ◮ Security awareness ◮ Coding style ◮ QA tools: unit tests,buildbot,etc. ◮ But can we getrid of potentialmemory problems ? ◮ Buéerover÷ows ◮ Pointer arithmetic ◮ Use-after-free ◮ ... ANSSI Securing Security Tools wö/öÏ Hardening software Design changes: ◮ Split components ◮ Use adequate language ◮ Easy to say ◮ Let’s try! ANSSI Securing Security Tools wé/öÏ The Rusticata proof of concept Motivations ◮ Isolate critical code (parsing) ◮ Parsers should focus on protocols, not pointers ◮ Keepperformance ◮ Build robust tools by design ANSSI Securing Security Tools wÿ/öÏ Why not C? How to code a secure parser in C: a. defensive programming → fail b. use QA tools: unit tests, etc. → fail c. usefuzzing → fail d. you’re the C god! → doubtful Results: not so good ◮ Parsing is hard (ex: JSON [SerwÏ]) ◮ For ex: Wireshark, Ï. vulns in öw.ó, óÅ in ö.wÏ ◮ Of course, my own code ANSSI Securing Security Tools wó/öÏ Alternatives ◮ OCaml, Haskell ◮ Python, Ruby, Perl ◮ Go, Rust ◮ C++, Java ◮ Lua ◮ Javascript See [JOwÿ] for why to exclude many of them ANSSI Securing Security Tools wÏ/öÏ Language choice Yet another language? We want thefollowing properties: ◮ Easy to embed ◮ Memory safety ◮ Strong typingw ◮ Thread safety ◮ No garbage collector (world stop) ◮ Fast data exchange with C ◮ Eêcient, avoid useless copies ◮ Good community Good candidate: Rust wWhich has nothing to do with pressing the keysharder ANSSI Securing Security Tools wÅ/öÏ Overview Rusticata: émain parts ◮ Suricata: fake app-layer (C) ◮ Rusticata: glue layer, wraps the C arguments for Rust (Rust) ◮ Rust parsers: independant projects (Rust) Notes ◮ Existing signature engine is used ◮ Log helper functions too ANSSI Securing Security Tools wÏ/öÏ Parser generator Nom [G.wó] allows to describe data, and generate the parser Reading bytes: Describing data: b1 = read_next_byte(&i); parse_record(&i) { type = b1 as u; type: be_u8, b2 = read_next_byte(&i); length: be_u16, b3 = read_next_byte(&i); } length = b2 >> 8 + b3; // big-endian Better readability ⇒ less bugs ANSSI Securing Security Tools wR/öÏ Example: the SSL/TLS parser ◮ Secure almost all internet communications ◮ Complex protocol [BBDL+wó] ◮ State-oriented parsing ◮ Multiple layers, application-level fragmentation ◮ Good comparison with the existing parserö öI plead guiltyfor writing the previous one ... ANSSI Securing Security Tools ö./öÏ Example of changes (real code) uint16_t cipher_suites_length = ciphers_len: be_u16 ~ input[0] << 8 | input[1]; ciphers: flat_map!(take!(ciphers_len),parse_cipher_suites) ~ input += 2; comp_len: take!(1) ~ comp: count!(be_u8, comp_len[0] as usize) ~ input += cipher_suites_length; if (!(HAS_SPACE(1))) goto invalid_length; /* skip compression methods */ uint8_t compression_methods_length = *(input++); input += compression_methods_length; ANSSI Securing Security Tools öw/öÏ The TLS parser Skipping to the results (tech. details in other slides) ◮ covers SSLvé to TLS w.ö ◮ more features than the C parser (extensions, defragmentation) ◮ some parts missing (detection keywords) ◮ less code: ~ÿ.. lines vs Ï.. for the same features ◮ rust parserisnow ~R.. lines ◮ less time to code ◮ almost entirelyzero-copy ◮ no unsafe code ANSSI Securing Security Tools öö/öÏ Bonus: TLS state machine Established Start CloseAlertError ClientHelloMsg HelloRequestMsg CloseAlertError ClientHelloMsg ◮ New parseroéers Closing Handshake ClientHelloMsg NoRegotiationWarning possibilitiestogo further HelloRequest ClientClosed ServerClosed ClientHello HelloRequestMsg ServerHelloMsg CloseAlertError CloseAlertError ServerHelloMsg ◮ ClientClosedAcknowledged ServerClosedAcknowledged ServerHello HelloRequestMsg ResumeSession HelloRequestMsg ServerKeyExchangeMsg ChangeCipherSpecMsg We can now express more CertificateMsg Server has Certificate Server has no Certificate complex securitychecks ServerCert_ServerCertificate HelloRequestMsg NoCert_ServerKeyExchange HelloRequestMsg CertificateRequestMsg ServerKeyExchangeMsg ServerHelloDoneMsg ◮ Extension: represent the TLS ServerCertCannotEnc_ServerKeyExchange HelloRequestMsg NoCert_ServerHelloDone HelloRequestMsg CertificateRequestMsg ServerHelloDoneMsg ClientKeyExchangeMsg state machine Client Certificate Requested ClientCert_CertificateRequest HelloRequestMsg ServerCert_ServerHelloDone HelloRequestMsg NoCert_ClientKeyExchange ServerHelloDoneMsg ClientKeyExchangeMsg ChangeCipherSpecMsg ◮ Detect invalid transitions ClientCert_ServerHelloDone HelloRequestMsg ServerCert_ClientKeyExchange CertificateMsg ChangeCipherSpecMsg ClientCert_ClientCertificate ClientKeyExchangeMsg ClientCert_ClientKeyExchange CertificateVerifyMsg ChangeCipherSpecMsg ClientCertCanSign_CertificateVerify ChangeCipherSpecMsg ClientChangeCipherSpec ClientFinishMsg ClientFinish HelloRequestMsg ChangeCipherSpecMsg FinishMsg ANSSI ServerChangeCipherSpec HelloRequest Securing Security Tools öé/öÏ Bonus: TLS state machine Rust representation: match (state,msg) { (TlsState::None, &TlsMessageHandshake::ClientHello(ref msg)) => { match msg.session_id { Some(_) => Ok(TlsState::AskResumeSession), _ => Ok(TlsState::ClientHello) } }, // Server certificate (TlsState::ClientHello, &ServerHello(_)) => Ok(TlsState::ServerHello), (TlsState::ServerHello, &Certificate(_)) => Ok(TlsState::Certificate), // Server certificate, no client certificate requested (TlsState::Certificate, &ServerKeyExchange(_)) => Ok(TlsState::ServerKeyExchange), Match possible on eithermessage type or content ANSSI Securing Security Tools öÿ/öÏ Are we safe now? Is the problem solved for good? ◮ Buéer over÷ows, pointer errors,doublefrees -> no more! ◮ Programming logic / algorithmic errors -> still here ◮ Compiler errors -> canhappen ANSSI Securing Security Tools öó/öÏ Lessons learned ◮ Choosing a good language helps ◮ Strong typing is great ◮ Exhaustive pattern matching ◮ Cost: learning a new language ◮ Lifetimes can be hard (for good reasons) ◮ Development time: same as C on írst parsers, faster after ◮ Debugging time: greatly reduced, no debugger required! ◮ No more segfault ANSSI Securing Security Tools öÏ/öÏ Get the code ◮ Projectmain address: https://github.com/rusticata ◮ Suricata fake app-layer + detection ◮ Rusticata: wraps parsers (only TLS for now) ◮ Design document in the Rusticata wiki ◮ Rust parsers: ◮ TLS ◮ DER ◮ NTP ◮ SNMP ◮ soon: X.ó.R, IKEvö, ... ANSSI Securing Security Tools öÅ/öÏ Conclusion ◮ Looking at things diéerently is important ◮ Try to íx bugs for good ◮ Memory-safe parsers are a huge security improvement ◮ Proof ofconcept: success ◮ Not meant to replace all existing parsers ◮ Requires some work to go further ◮ No global rewrite required, only sensitive code Questions ? ANSSI Securing Security Tools öÏ/öÏ References References [BBDL+wó] Benjamin Beurdouche, Karthikeyan Bhargavan,AntoineDelignat-Lavaud, et al. A messy state of the union: taming thecomposite state machines of TLS. In IEEE Symposium on Security & Privacy ö.wó (Oakland’wó), ö.wó. [CFwÿ] P. Chiìier and A. Fontaine. Architecture systÈme d’une sonde durcie. Conference C&ESAR, ö.wÿ. [G.wó] Couprie G. Nom, a byte oriented, streaming, zero copy, parser combinators library in rust. ö.wó IEEE Security and Privacy Workshops (SPW), ö.wó. [JOwÿ] E.Jaeger and Levillain O. Mind your language(s): A discussion about languages and security. ö.wÿ IEEE Security and Privacy Workshops (SPW), ö.wÿ. [SerwÏ] N. Seriot. Parsing json is a mineíeld. http://seriot.ch/parsing_json.html, ö.wÏ. ANSSI Securing Security Tools ö/ö.